diff --git a/mongodb/mongodb/mongodb.tf b/mongodb/mongodb/mongodb.tf
index 44c1a76..0636ed4 100644
--- a/mongodb/mongodb/mongodb.tf
+++ b/mongodb/mongodb/mongodb.tf
@@ -36,6 +36,9 @@ variable "config_ebs" {
 variable "role_node" {
   default = "false"
 }
+variable "role_monitoring" {
+  default = "false"
+}
 variable "role_opsmanager" {
   default = "false"
 }
@@ -74,6 +77,7 @@ data "template_file" "user_data" {
     config_ephemeral         = "${var.config_ephemeral}"
     config_ebs               = "${var.config_ebs}"
     role_node                = "${var.role_node}"
+    role_monitoring          = "${var.role_monitoring}"
     role_opsmanager          = "${var.role_opsmanager}"
     role_backup              = "${var.role_backup}"
     mms_group_id             = "${var.mms_group_id}"
diff --git a/mongodb/mongodb/templates/user-data.sh b/mongodb/mongodb/templates/user-data.sh
index 66e942a..bf013c5 100644
--- a/mongodb/mongodb/templates/user-data.sh
+++ b/mongodb/mongodb/templates/user-data.sh
@@ -201,7 +201,7 @@ if [ "${role_node}" == "true" ]; then
   # Automation Agent won't start without proper hostname resolution, but Route53 takes a few mins to propagate.
   echo "`curl http://169.254.169.254/latest/meta-data/local-ipv4` ${hostname}" >> /etc/hosts
 
-  # setup ssl certificates
+  # setup ssl certificates for mongodb
   SSL_PATH=/etc/mongodb/ssl
   mkdir -p $SSL_PATH
   aws s3 --region=${aws_region} cp ${mongodb_ssl_server_key_s3_object} $SSL_PATH/mongodb_ssl_server.pem
@@ -213,6 +213,35 @@ if [ "${role_node}" == "true" ]; then
   service mongodb-mms-automation-agent start
 fi
 
+#
+# Monitoring Agent (connects to OpsManager)
+#
+if [ "${role_monitoring}" == "true" ] ; then
+  # install
+  curl -k -OL http://opsmanager.universe.com:8080/download/agent/monitoring/mongodb-mms-monitoring-agent_5.4.5.370-1_amd64.deb
+  DEBIAN_FRONTEND=noninteractive dpkg --install mongodb-mms-monitoring-agent_5.4.5.370-1_amd64.deb
+
+  # setup for opsmanager
+  MONITORING_AGENT_CONFIG_FILE=/etc/mongodb-mms/monitoring-agent.config
+  OPSMANAGER_URL=`echo http://${opsmanager_subdomain}:8080 | awk '{gsub("/", "\\\/");print}'`
+  sed -i "s/mmsBaseUrl=.*/mmsBaseUrl=$OPSMANAGER_URL/" $MONITORING_AGENT_CONFIG_FILE
+  sed -i "s/mmsApiKey=.*/mmsApiKey=${mms_api_key}/" $MONITORING_AGENT_CONFIG_FILE
+
+  # setup ssl certificates for monitoring agents
+  SSL_PATH=/etc/mongodb-mms/ssl
+  mkdir -p $SSL_PATH
+  aws s3 --region=${aws_region} cp ${mongodb_ssl_server_key_s3_object} $SSL_PATH/mongodb_ssl_server.pem
+  aws s3 --region=${aws_region} cp ${mongodb_ssl_client_key_s3_object} $SSL_PATH/mongodb_ssl_client.pem
+  chmod 700 -R $SSL_PATH
+  chown -R mongodb-mms-agent:mongodb-mms-agent $SSL_PATH
+  echo "sslTrustedServerCertificates=$SSL_PATH/mongodb_ssl_server.pem" >> $MONITORING_AGENT_CONFIG_FILE
+  echo "sslClientCertificate=$SSL_PATH/mongodb_ssl_client.pem"         >> $MONITORING_AGENT_CONFIG_FILE
+  echo "sslRequireValidServerCertificates=true"                        >> $MONITORING_AGENT_CONFIG_FILE
+
+  stop mongodb-mms-monitoring-agent
+  start mongodb-mms-monitoring-agent
+fi
+
 #
 # Backup Node (connects to OpsManager)
 #